Apache Server Security on Ubuntu 16.04 Xenial
Apache, Linux, Security, Sysadmin, Ubuntu
This article lists some sensible configuration defaults for Apache 2.4 on an Ubuntu 16.04 server. It explains how to apply these globally at the server level.
Objectives:
- Prevent the Apache server signature that is printed as part of a web request - this is not needed and gives would-be hackers info about your server
- Prevent direct access to certain files (e.g. .git, .json, .sql)
- Prevent directory browsing - don’t allow random strangers to sniff out your directory structure
- Disallow Apache overrides at the directory level (e.g. disallow .htaccess config files)
Note that if you disallow .htaccess files you’ll probably need to include suitable rewrite rules in each site’s Apache virtual host configuration. This is not only slightly more secure, it should be faster.
Global Apache Config
Open the Apache config file:
sudo nano /etc/apache2/conf-enabled/security.conf
Make the following changes (ServerTokens Prod reduces the Server header to "Apache"; ServerSignature Off removes the server line from Apache-generated pages such as error pages):
#...
ServerTokens Prod
#...
ServerSignature Off
#...
# Add the following block:
# ==============================================================================
# Prevent access to any .git directory
# ==============================================================================
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
# ==============================================================================
# Protect a specified range of files from direct access
# ==============================================================================
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.md|README\.md|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
    Require all denied
</FilesMatch>
# ==============================================================================
# Prevent access to JSON config files
# ==============================================================================
<FilesMatch "\.(json)$">
    Require all denied
</FilesMatch>
# ==============================================================================
# Prevent access to sql dumps: these should NOT be in your document root, but just in case...
# ==============================================================================
<FilesMatch "\.(sql)$">
    Require all denied
</FilesMatch>
# ==============================================================================
# Prevent xmlrpc attacks - if you're not using xmlrpc, block this file to avoid hack attempts
# ==============================================================================
<FilesMatch "^(xmlrpc\.php)">
    Require all denied
</FilesMatch>
Prevent Embedding and Sniffing
Set headers for all files served:
- NOSNIFF header prevents IE MIME-sniffing files
- SAMEORIGIN header prevents embedding of content in a different site
Note this modification will cause Apache to fail unless the headers module is enabled:
sudo a2enmod headers
# ...and restart Apache
Add the following to /etc/apache2/conf-enabled/security.conf:
# Setting this header will prevent MSIE from interpreting files as something
# other than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
Header set X-Content-Type-Options "nosniff"
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
Header set X-Frame-Options "SAMEORIGIN"
Prevent Directory Browsing
Open the relevant config file for editing:
# Consider making a backup of the original first (the file is root-owned):
sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.bak
# Open the file for editing:
sudo nano /etc/apache2/apache2.conf
Remove/Comment out:
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Add this block:
# ------------------------------------------------------------------------------
# Disable directory browsing (drop Indexes, keep FollowSymLinks; using +/- on
# one Options line is the valid way to adjust the inherited set)
# ------------------------------------------------------------------------------
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
…restart Apache:
sudo /etc/init.d/apache2 restart
Your Apache server should now be a bit more secure. The configuration settings have been applied globally - rather than in numerous .htaccess files at the directory level.
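To confirm the settings actually took effect after the restart, here is an added check script (not from the original article) that audits the headers of an HTTP response for the items configured above; it assumes curl is installed for live use, and the hostname in the usage comments is a placeholder. Offline it runs against a constructed sample response.

```sh
#!/bin/sh
# Added example, not part of the original article: audit HTTP response headers
# for the hardening configured above. Against a live host (curl assumed,
# hostname is a placeholder):
#   curl -sI http://www.example.com/          | audit_headers
#   curl -sI http://www.example.com/.git/HEAD | audit_denied

# Read response headers from stdin; return 0 if every check passes, else 1.
audit_headers() {
    hdrs=$(tr -d '\r')   # strip CRs so anchored greps match
    rc=0
    # ServerTokens Prod reduces the Server header to the bare product name.
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | sed 's/^[^:]*: *//')
    if [ "$server" != "Apache" ]; then
        echo "FAIL ServerTokens: Server header is '$server', expected 'Apache'"
        rc=1
    fi
    # mod_headers: X-Content-Type-Options nosniff (value is case-insensitive).
    if ! printf '%s\n' "$hdrs" | grep -iq '^X-Content-Type-Options: *nosniff'; then
        echo "FAIL X-Content-Type-Options: nosniff not set"; rc=1
    fi
    # mod_headers: X-Frame-Options SAMEORIGIN (DENY is also acceptable).
    if ! printf '%s\n' "$hdrs" | grep -iqE '^X-Frame-Options: *(SAMEORIGIN|DENY)'; then
        echo "FAIL X-Frame-Options: not SAMEORIGIN or DENY"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "PASS header checks"; fi
    return "$rc"
}

# Read response headers from stdin; return 0 if the request was refused
# (403 from "Require all denied", or 404), else 1 (the file is reachable).
audit_denied() {
    code=$(tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    case "$code" in
        403|404) echo "PASS blocked (HTTP $code)"; return 0 ;;
        *)       echo "FAIL reachable (HTTP ${code:-?})"; return 1 ;;
    esac
}

# Constructed sample: what a server hardened per this article should send.
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

printf '%s\n' "$SAMPLE_OK" | audit_headers
```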